Solved

All personal files are encrypted with .aimmkvi from virus attack

Posted on 2015-02-19
Last Modified: 2015-04-05
Hi,

I am writing to seek some advice on an issue which was brought to me by one of my clients.

The problem which my client is facing at the moment is that their computer has been infected with a bit locker or ransom virus. All their personal data are encrypted. This includes their personal photos, documents, and important files which consist of their personal loan documents, and much more.

Upon receiving the computer (after the client had called me to have a look), the husband had already (probably) removed the bit-locker .exe by running a paid SpyHunter programme on the system.

I got to the client's house a few days later and ran a few utilities such as Malwarebytes and other tools to scan the system. I also re-ran SpyHunter (the one he had purchased) but found no viruses or infections, as he had already done it. I have also restored the computer to previous dates, or back to the only date stored on the system, but it still does not bring back their previous files; the files are still encrypted. I even right-clicked on the encrypted files to choose previous versions, but there aren't any previous versions available for any infected file.

This is something I've never come across before. However, when I did some research online, there is so much information, none of which shows me how to decrypt the original files. So I take it that this kind of problem cannot be fixed.

The client's computer is with me now, waiting to be fixed. Also, the clients advised me how the problem started: the son (8 years) downloaded a game online (he normally does and had downloaded games before with no problem) and installed it, and found that the PC was infected after the installation (by bit-locker). The father advises that there are no backups in place. They are really desperate to get all their files back (decrypted).

All their files are infected with the ransomware and all file names end with .aimmkvi.

I thought I would write to you to see if you can look into how to fix these kinds of problems but, moreover, provide solutions on how to decrypt the files back to their normal condition.

Thanks, and I look forward to a favorable response.
Question by: Bakaka
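As an added triage example (not from the question or from any answer in this thread): a small Python script a technician could run over a copy of the affected disk to inventory files carrying the .aimmkvi extension reported above and check whether each file's contents really were encrypted (in which case only the key holder can reverse it) or merely renamed. It assumes the malware overwrote file contents from the first byte, so the original type's magic bytes are gone; the sample directory tree, the short magic-byte table and the 7.0 bits/byte threshold are constructed for the example.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".aimmkvi"  # extension the question reports on every affected file
# Leading bytes of common file types (short, constructed table for the example)
MAGIC = {".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF", ".docx": b"PK\x03\x04"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: uniform (encrypted) bytes score 8.0, plain text far less."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: Path, threshold: float = 7.0) -> str:
    """Was this .aimmkvi file really encrypted, or only renamed?
    Assumes encryption overwrote the body, so the original type's magic bytes are gone;
    a file that still starts with them has intact content and only needs renaming."""
    original_ext = Path(path.stem).suffix.lower()  # 'wedding01.jpg.aimmkvi' -> '.jpg'
    head = path.read_bytes()[:65536]  # a prefix is enough to classify
    if original_ext in MAGIC and head.startswith(MAGIC[original_ext]):
        return "intact_header"
    if shannon_entropy(head) >= threshold:
        return "encrypted"
    return "inconclusive"  # low entropy but unknown type: inspect by hand

def triage(root: Path, ext: str = RANSOM_EXT) -> dict:
    """Inventory every file under root carrying the ransom extension, grouped by verdict."""
    report = {"encrypted": [], "intact_header": [], "inconclusive": []}
    for path in sorted(root.rglob(f"*{ext}")):
        if path.is_file():
            report[classify(path)].append(path.relative_to(root).as_posix())
    return report

def build_sample_tree() -> Path:
    """Constructed sample data standing in for the client's disk."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "photos").mkdir()
    uniform = bytes((i * 7919 + 13) % 256 for i in range(4096))  # stand-in for ciphertext
    (root / "photos" / "wedding01.jpg.aimmkvi").write_bytes(uniform)
    (root / "loan.pdf.aimmkvi").write_bytes(b"%PDF-1.4\n" + b"loan agreement " * 200)
    (root / "notes.txt.aimmkvi").write_bytes(b"shopping list\n" * 50)
    (root / "readme.txt").write_text("not touched by the malware\n")
    return root

if __name__ == "__main__":
    for verdict, files in triage(build_sample_tree()).items():
        print(verdict, files)
```

Run it against a read-only copy or image of the drive, never the original, so nothing on the evidence disk is modified.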
23 Comments
 
Accepted Solution by: Eirman (earned 250 total points)
Please refer to this similar question ....
http://www.experts-exchange.com/Software/Anti_Spyware/Q_28610571.html

I don't think the files are lost (unless you pay the ransom ...... perhaps. #Not recommended#)

Sometimes "old versions" of files might be available.

Assisted Solution by: OriNetworks (earned 250 total points)
The only solution that exists is restoring from backup. Since they do not use backups, it has to be reinstalled from scratch. Any attempt to clean the existing system cannot be relied on, as a rootkit may still exist.

Expert Comment by: tailoreddigital
There is nothing you can do but pay the ransom. Once encrypted, the files can only be decrypted by the holder of the key.

This is a lesson learned the hard way: to have a backup. Nowadays drives are so big, in other words you can have so much stuff on a drive, that there should always be a backup. Especially if the data is important.

Expert Comment by: OriNetworks
Paying a ransom is not a solution. It is a gamble and not a recommended option because not only are you contributing to their cause, and who knows what they use the money for, but there is also no guarantee that they will send a decryption key, or that it can even be done since the system has already been 'cleaned'.

Expert Comment by: Eirman
Link to old versions mentioned above.

Author Comment by: Bakaka
@ Eirman - that post URL is me too.

The problem is still not fixed; after I consulted with the owner of the PC, he confirmed he did not have a backup in place.

So what are the solutions here:
Some say don't pay the ransom as you will not get the key back.

Some say pay and you'll get the key back.

I guess then there is no way to get the files back right?

Expert Comment by: tailoreddigital
I wouldn't recommend paying it either, but it's the only potential way to decrypt the files.    

Like I said, this is just a lesson learned the hard way. I bet your client has a backup after this.

Expert Comment by: OriNetworks
I will say it again, no reliable way. Paying a ransom is no guarantee, especially since the system is 'cleaned'.

Expert Comment by: Thomas Zucker-Scharff
DON'T pay!  It is too late anyway.  The user has deleted the necessary files from the system in order for the decryption key to work.  Is the data even worth the price? Check preev.com for a bitcoin converter.  Once it has been "cleaned" as stated above, it is very unlikely that this will work at all.

Author Comment by: Bakaka
@Thomas, the data is very, very, very, and very much WORTH THE PRICE!

There are wedding photos, personal loan documents, land lease and the top list goes on.

So I take it there are no solutions here then?

I wonder, if I recover the PC-HDD, will it bring back all the original files?

This is just my suggestion.
 
Expert Comment by: Thomas Zucker-Scharff
As far as I know, if this is indeed an encryption infection, the user had to initiate it and there is no way other than restoring from backup or shadow copy to retrieve the files.  Does the user have any form of versioning backup (even dropbox would eventually get the files back that were stored there although it is certainly not the best solution)?  Check out my articles on backup and pay special attention to the cloud backup options with versioning:

http://www.experts-exchange.com/Software/Backup_Restore/A_16059-Backing-up-more-than-a-necessity.html

http://www.experts-exchange.com/Software/Backup_Restore/A_17402-Cloud-Backup-Why-I-changed-providers.html

If you read those articles you will see I am a firm believer in having up-to-date backups. I have CrashPlan (family version) on my home computers and have it set to back up new files and changes every 15 minutes.

DISCLAIMER:  I am NOT in any way affiliated with products mentioned in this post or in my articles.  I am just a satisfied user.

Expert Comment by: Eirman
I wonder if i recover the PC-HDD. Will it bring back all the original files?
Presuming you are talking about the recovery partition .....
This recovery option will give you a clean system with NO data or software.
You will need to do this at some point anyway.

The paying of ransom is an ethical issue. If no one ever paid, it would disappear.
I'm including kidnapping in this comment.
Parents often contravene the law by secretly paying ransom to kidnappers.
If it's your kid (or data in your case) it's difficult to be logical ..... and take the never pay attitude.

You could communicate with the hackers,
then for a very small fee they could demonstrate their ability to decrypt one file,  and work from there.

Expert Comment by: Thomas Zucker-Scharff
Make sure you can indeed decrypt the data if you are going to go that route. My impression from the initial read of your post was that the computer had already been cleaned, in which case the necessary data to unencrypt the files, even if you pay the ransom, may have been deleted.

Author Comment by: Bakaka
This problem is very difficult to deal with, since there are no backups implemented. This is a lesson learned for most of us, particularly non-computer-literate users.

Thanks Thomas, I have taken those URLs for backup purposes. Note taken.

This is probably the last lesson learned this family will ever go through, as they are now considering a full backup system once their computer is back with them.

And I totally agree, who knows what the heck these hackers are doing once you approach them to pay for the decryption key. They might even trick you more. I will never go that route.

I would be very happy to open a door for remote control to further investigate the problem.

If I can't fix it and you can't either, then the world is MYSTERIOUS.

Expert Comment by: OriNetworks
I'm very sorry to see another family going through this situation. I wish I could be of more help.

One possible option is to bring the drive to a data forensics/extraction company to see if they can retrieve any files in any way, but if you were to go that route I would keep the computer powered off and bring it in ASAP to prevent additional overwriting of any data.

As an additional note, for anyone reading this, also note that:
1. Versioned backups are critical. If a backup is fine one time, then the computer gets infected and overwrites the file on the next backup, you're still screwed because now the backup file has been overwritten with invalid data.
2. Make sure the backup drive is not permanently connected to the computer. When the infection occurs, the malware will scan all connected drives for files to encrypt, including the USB backup drive people leave plugged in or mapped NAS network drives people leave on the network. I know having these devices connected helps automate the process, but it also has risk.

Expert Comment by: Eirman
One possible option is to bring the drive to a data forensics/extraction company to see if they can retrieve any files
That's highly unlikely to work on files that aren't lost .... just encrypted.
It's expensive too.

Author Comment by: Bakaka
I agree Eirman.

The point here, and the only solution we can get out of this trouble, is to accept the lesson learned.

The family who owns this won't even go that route as the service would be more expensive.

I take it that this issue won't be resolved, as none of the suggestions are able to tackle this problem.

Prior to posting the issue, I had also advised and informed the owner that he must put a backup in place for the future, one that has no connection to the PC itself.

I will return the PC now to the owner and explain that he needs to accept this as there are no ways to decrypt his data.

Expert Comment by: OriNetworks
I absolutely agree the likelihood of finding anything is slim but if they are willing to pay money, I would think this is their only option in the hope of getting ANY data.
 

Author Comment by: Bakaka
Thanks, they have already told me too that they can't afford the service, hence why I posted and asked the community here.

Also, I have done some research and contacted fireeye.com as well as fox-it, who confirmed that they cannot help or troubleshoot this issue (decrypt the files) as it's not a CryptoLocker but rather a bit-locker.

I tried to upload the encrypted file via the portal decryptolocker.com but it didn't work as the encryption extension isn't associated with the CryptoLocker file type.

It's ok, at least anyone who is reading is aware that situations such as this are very difficult to deal with.

Author Comment by: Bakaka
This is because nobody can solve this problem. That is basically it.